Is more data always better?  Are companies collecting an unnecessary amount of consumer data?

The core of a CSO role is effective risk management and risk tolerance: business empowerment and risk tolerance alongside it. And I think if the perception around data is simply “more is better, more is more, the end,” it becomes difficult to have an informed risk tolerance around the acquisition of data. If there's no liability and there's a touring test kind of analog that has to happen in the courts for AI and ultimately the company behind it to be rendered liable, I look at this and I think, "What is legal's responsibility here for the implementation of AI?" And then we as cyber practitioners, if there is no liability behind certain algorithmic implications what then, for the larger status? And how do you form risk tolerance atop that.

38 views
6 comments
2 upvotes
Related Tags
Anonymous Author
The core of a CSO role is effective risk management and risk tolerance: business empowerment and risk tolerance alongside it. And I think if the perception around data is simply “more is better, more is more, the end,” it becomes difficult to have an informed risk tolerance around the acquisition of data. If there's no liability and there's a touring test kind of analog that has to happen in the courts for AI and ultimately the company behind it to be rendered liable, I look at this and I think, "What is legal's responsibility here for the implementation of AI?" And then we as cyber practitioners, if there is no liability behind certain algorithmic implications what then, for the larger status? And how do you form risk tolerance atop that.
0 upvotes
Anonymous Author
Shoshana Zuboff wrote a book called The Age of Surveillance Capitalism. It goes into how data driven advertising changes a person's behavior and subtly over time can guide a person to make a certain decision and argues that the more data you collect you can actually control people’s in person behavior. Additionally, it outlines the general lack of regulation across data. There is an ethical issue at hand here and also a tension as changes in privacy law will greatly impact companies that rely on advertisement revenue. What we’ve done and what you're starting to see in other companies is that the CISO is now the head of digital / consumer product engineering. This provides the opportunity to have someone with oversight of activities that use data that also takes to heart security and data privacy - this has to be a priority within product teams. We have people within our cyber team that have the specific responsibility product and consumer trust and I work hand in hand with the privacy team, having daily interaction. I think an interesting viewpoint on data collection and use of AI is, are the actions that are being driven from it something that people would expect us to be doing? If not, we probably shouldn't be doing it!
0 upvotes
Anonymous Author
We've used the term data in a very generic way, similar to how the term APT or cloud was being used many years ago. We use the term data homogeneously. There's data, there's information, there's intelligence and there's knowledge. And we and the greater American consumer confuse the terms. Data is the stuff that we gather that are facts and are not changeable. Information is data in context. Intelligence is that data or information that lies below the surface from another set that's not readily visible. And knowledge is what conclusions you draw from that. I teach my students this concept with a 10 digit number: 3013170124. Out of context it's a 10 digit number, it has absolutely positively no meaning. You throw context around it, you throw commas in certain places it's a number slightly over 3 million. You break it up into two groups of five, five groups of two, you put the three, zero up front and it's the area code for Belgium. You put a couple of dashes between the third and fourth and the sixth and seventh number you get a North American telephone number. And that is the correct context for this. Now, if I add another couple of pieces of data or information to tell you the 301 is one of the codes for Maryland and that I lived in Maryland from '95 to 2003 you may be able to glean some intelligence here that says that may have been my old phone number. When I have discussions about what we should be doing regarding data collection and then what we do with it, I try to swing the discussion so that we are determining what information or knowledge we're trying to gather and what we are trying to do with it, which then will precipitate what data we need. We seem so focused on collecting as much data as possible because we don't necessarily know what we can or want to do with it. We stop asking the questions: What is it I'm trying to gather or achieve, et cetera? And that can help frame the discussion regarding what we keep, what we don't keep and by the way how far we are willing to go to get that data. Adding to that the greater American public in my mind has not actually understood that distinction between data and information. I have a piece of data therefore I have information. They have conflated the two and we have seen countless examples of that, not the least of which is the stuff that's going on in the background in U.S. politics right now. But a lot of that has to deal with conflating data versus information versus knowledge. And if we're going to have these discussions we need to begin to separate those and define them appropriately.
0 upvotes
Anonymous Author
Is more data always better? To me, it all comes down to the usage intent of that data. If it's for understanding your business and making decisions based on data you're already collecting or that's publicly available, sure. If it's just additional information for the sake of collecting, that's a different story.
0 upvotes
Anonymous Author
We don't treat data as it being toxic and maybe if we thought about data as being toxic we would handle it with different care. I think we can relate data to chemicals and toxicity of chemicals particularly when you combine them in different forms and fashions and you don't know what you're doing because you're just trying to figure it out.
0 upvotes
Anonymous Author
Is more data always better?  Always, no. In 2020, and soon to be 2021, data is a liability.  If you have more data, that is more data that can be breached. If you have more data, and are in scope for GDPR, CCPA, etc., than there is a lot more data falling under regulations. More data is better if you have specific use cases that warrant if.  If not, every bit of data is a liability, and should be stored only if there is a specific need. And companies are collecting an unnecessary amount of consumer data.  They often do not realize it until they are on the receiving end of a warrant, subpoena, etc., and suddenly have a very rude awakening.              Are companies collecting an unnecessary amount of consumer data?
0 upvotes